IOS 10.2.1 正式版推出 - iOS

https://support.apple.com/en-us/HT207482

This document describes the security content of iOS 10.2.1.

iOS 10.2.1

Released January 23, 2017


Auto Unlock 自動解鎖問題
Available for: iPhone 5 and later, iPad 4th generation and later, iPod touch
6th generation and later
影響：當Apple watch離開你的手時仍然會自動解鎖
Impact: Auto Unlock may unlock when Apple Watch is off the user's wrist

Description: A logic issue was addressed through improved state management.
CVE-2017-2352: Ashley Fernandez of raptAware Pty Ltd


Contacts 聯絡人問題
Available for: iPhone 5 and later, iPad 4th generation and later, iPod touch
6th generation and later
影響：惡意的聯絡人資料卡可能造成程式中止
Impact: Processing a maliciously crafted contact card may lead to unexpected
application termination

Description: An input validation issue existed in the parsing of contact
cards. This issue was addressed through improved input validation.
CVE-2017-2368: Vincent Desmurs (vincedes3)


Kernel 內核
Available for: iPhone 5 and later, iPad 4th generation and later, iPod touch
6th generation and later
影響：程式利用內核的特殊權限任意執行程式碼
Impact: An application may be able to execute arbitrary code with kernel
privileges

Description: A buffer overflow issue was addressed through improved memory
handling.
CVE-2017-2370: Ian Beer of Google Project Zero


Kernel 內核
Available for: iPhone 5 and later, iPad 4th generation and later, iPod touch
6th generation and later
影響：程式利用內核的特殊權限任意執行程式碼
Impact: An application may be able to execute arbitrary code with kernel
privileges

Description: A use after free issue was addressed through improved memory
management.
CVE-2017-2360: Ian Beer of Google Project Zero


libarchive 資料庫封存問題
Available for: iPhone 5 and later, iPad 4th generation and later, iPod touch
6th generation and later
影響：打開惡意產生的封包可能導致程式碼任意執行
Impact: Unpacking a maliciously crafted archive may lead to arbitrary code
execution

Description: A buffer overflow issue was addressed through improved memory
handling.
CVE-2016-8687: Agostino Sarubbo of Gentoo


WebKit 問題
Available for: iPhone 5 and later, iPad 4th generation and later, iPod touch
6th generation and later
影響：處理惡意網站內容可能導致別的來源的資料流出
Impact: Processing maliciously crafted web content may exfiltrate data
cross-origin

Description: A prototype access issue was addressed through improved
exception handling.
CVE-2017-2350: Gareth Heyes of Portswigger Web Security


WebKit 問題
Available for: iPhone 5 and later, iPad 4th generation and later, iPod touch
6th generation and later
影響：處理惡意網站內容可能導致執行任何程式碼
Impact: Processing maliciously crafted web content may lead to arbitrary code
execution

Description: Multiple memory corruption issues were addressed through
improved memory handling.
CVE-2017-2354: Neymar of Tencent's Xuanwu Lab (tencent.com) working with
Trend Micro's Zero Day Initiative
CVE-2017-2362: Ivan Fratric of Google Project Zero
CVE-2017-2373: Ivan Fratric of Google Project Zero


WebKit 問題
Available for: iPhone 5 and later, iPad 4th generation and later, iPod touch
6th generation and later
影響：處理惡意網站內容可能導致執行任何程式碼
Impact: Processing maliciously crafted web content may lead to arbitrary code
execution

Description: A memory initialization issue was addressed through improved
memory handling.
CVE-2017-2355: Team Pangu and lokihardt at PwnFest 2016


WebKit 問題
Available for: iPhone 5 and later, iPad 4th generation and later, iPod touch
6th generation and later
影響：處理惡意網站內容可能導致執行任何程式碼
Impact: Processing maliciously crafted web content may lead to arbitrary code
execution

Description: Multiple memory corruption issues were addressed through
improved input validation.
CVE-2017-2356: Team Pangu and lokihardt at PwnFest 2016
CVE-2017-2369: Ivan Fratric of Google Project Zero
CVE-2017-2366: Kai Kang of Tencent's Xuanwu Lab (tencent.com)


WebKit 問題
Available for: iPhone 5 and later, iPad 4th generation and later, iPod touch
6th generation and later
影響：處理惡意網站內容可能導致別的來源的資料流出
Impact: Processing maliciously crafted web content may exfiltrate data
cross-origin

Description: A validation issue existed in the handling of page loading. This
issue was addressed through improved logic.
CVE-2017-2363: lokihardt of Google Project Zero
CVE-2017-2364: lokihardt of Google Project Zero


WebKit 問題
Available for: iPhone 5 and later, iPad 4th generation and later, iPod touch
6th generation and later
影響：惡意網站可以打開彈出式視窗
Impact: A malicious website can open popups

Description: An issue existed in the handling of blocking popups. This was
addressed through improved input validation.
CVE-2017-2371: lokihardt of Google Project Zero


WebKit 問題
Available for: iPhone 5 and later, iPad 4th generation and later, iPod touch
6th generation and later
影響：處理惡意網站內容可能導致別的來源的資料流出
Impact: Processing maliciously crafted web content may exfiltrate data
cross-origin

Description: A validation issue existed in the handling of variable handling.
This issue was addressed through improved validation.
CVE-2017-2365: lokihardt of Google Project Zero


WiFi 問題
Available for: iPhone 5 and later, iPad 4th generation and later, iPod touch
6th generation and later
影響：有啟動鎖定的裝置可以在操作下短暫的顯示首頁
Impact: An activation-locked device can be manipulated to briefly present the
home screen

Description: An issue existed with handling user input that caused a device
to present the home screen even when activation locked. This was addressed
through improved input validation.
CVE-2017-2351: Sriram (@Sri_Hxor) of Primefort Pvt. Ltd., Hemanth Joseph

--